IEEE 802.

11 WLAN

CONTENTS :
IEEE 802.11 architecture
Architecture components
802.11 layers description
The basic access method CSMA/CA
Fragmentation and reassembly
Inter frame space

How does a station join an existing

cell (BSS) ?
Network Initialization And Maintenance
Security
Power saving

INTRODUCTION
802.11 (WiFi) wireless accesses, users face with the
necessity of maintaining a continuous connection to
the network while moving.
IEEE 802.11 WLAN provide not only convenient
network connectivity but also a high speed link up to
11 Mbps (802.11b). we are concerned with the IEEE
802.11b network which operates in the 2.4 GHz band.
In this band, a proper deployment typically uses only
the three non overlapping independent channels (1, 6,
and 11).
The transmission range of a typical WiFi device is upto
100m and can emit the power upto 20dBm(or 100mW)

IEEE 802.11 Architecture Components

The access to an 802.11
network can be achieved in
two different modes,
depending on the nature of
the point of attachment
A mobile station (MS) can
form spontaneous networks
(AD-HOC MODE) or it can get
connected to an access point
(AP) which is directly
connected to a backbone
(INFRASTRUCTURE MODE).
An AP and associated mobile
stations form a Basic
Service Set (BSS)
communicating on the

A collection of APs (connected through a distribution

system DS) can extend a BSS into an Extended
Service Set

IEEE 802.11 PROTOCOL

ARCHITECTURE
MAC Layer:

Provides access to contention based and contention-free traffic

on different kinds of physical layers.

MAC layer responsibilities are divided into MAC sub layer and
MAC management sub-layer.

MAC sub layer defines access mechanisms and packet formats.

MAC management sub-layer defines power management,

security and roaming services.
PHY Layer:
The Physical layer is divided into three sub layers
The PLCP acts as an adaption layer The PLCP is
responsible for CCA and building packets for different
physical layer technologies
The PMD layer specifies modulation and coding
techniques
The PHY management layer takes care of the
management issues like channel tuning.
Station management sub layer is responsible for coordination of interactions between the MAC and PHY
layers

802.11 LAYERS
DESCRIPTION
802.11 protocol covers the MAC and Physical layer,
the standard currently defines a single MAC which
interacts with three PHYs.
Frequency Hoping Spread Spectrum in the 2.4GHz
band (FHSS)
Direct Sequence Spread Spectrum in the 2.4GHz band
(DSSS)
InfraRed (IR)

802.11 MAC performs other functions that are

typically related to upper layer protocols such as
fragmentation, packet retransmissions and
acknowledges. This layer defines two access
methods.
Distributed coordination function (DCF)
Point coordination function (PCF)

 The basic access mechanism called Distributed

coordination function (DCF) is basically a carrier
sense multiple access with collision avoidance
mechanism.(CSMA/CA)
CSMA/CA attempts to avoid collisions by using
explicit packet acknowledgment (ACK), which
means an ACK packet is sent by the receiving
station to confirm that the data packet arrived
intact.

LOGICAL SERVICE
INTERFACES
Services Specified by IEEE 802.11
A point-to-point bridge connecting LANs in two
separate buildings could become a DS.
While the implementation for the DS is not
specified, 802.11 does specify the services, which
the DS must support. Services are divided into
two sections
Station Services (SS)
Distribution System Services (DSS)

Both categories of service are used by the IEEE

802.11 MAC sub layer.

Station Services (SS):

All 802.11 compliant wireless stations (STAs) must implement
the four station services defined in the IEEE specification. The
STAs include APs and wireless routers with AP functionality .
The services are:
Authentication - A wireless station needs to be identified
before it can access network services. This process is called
authentication. It is a required state that comes before the STA
may enter the association state.
Deauthentication - This service voids an existing
authentication.
Privacy - A wireless station must be able to encrypt frames in
order to protect message content so that only the intended
recipient can read it.
MAC Service Data Unit (MSDU) Delivery - An MSDU is a
data frame that must be transmitted to the proper destination.

Distribution System Services (DSS):

A wireless station that functions as an access point must
implement the four station services plus the distribution system
services listed here:
Association - This service establishes an AP/STA mapping after
mutually agreeable authentication has taken place between the
two wireless stations. A STA can only associate with one AP at a
time. This service is always initiated by the wireless station and
when successfully completed enables station access to the DSS.
Reassociation - This service moves a current association from
one AP to another AP.
Disassociation - This service voids a current association.
Distribution - This service handles delivery of MSDUs within
the distribution system; i.e., the exchange of data frames
between APs in an extended service set (ESS).
Integration - This service handles delivery of MSDUs between
the distribution system and a wired LAN on the other side of a
portal. Basically this is the bridging function between wireless
and wired networks.

State Variables :
Each wireless station maintains two state
variables, one for authentication and one for
association. A wireless station is authenticated or
unauthenticated. Once in an authenticated state,
the STA is either associated or unassociated.
These variables create three states:
State 1: Unauthenticated and unassociated.
State 2: Authenticated, not associated.
State 3: Authenticated and associated.
The state of the wireless station determines which
MAC frames are admissible. This information could
be useful when debugging with a packet sniffer.

NETWORK INITIALIZATION AND

MAINTAINANACE
From a mobile systems perspective, the steps are:
NETWORK DISCOVERY: finding a network system
using the same radio characteristics like BSSType,
BSSID, SSID, ScanType, ChannelList, ProbeDelay,
MinChannelTime, and MaxChannelTime. With which
the MS can try to establish connectivity.
NETWORK INITIALISATION: establishing some sort
of air link and network context so as to enable
more connections to Rx and Tx data.
CONNECTION SETUP: ability to establish
connections for Tx and Rx data
HAND OVER( or HAND OFF): ability to carry out
handover between neighbouring BSs of network
to enable continuous service.

SCANNING METHODS
There are two kinds of scanning
methods defined in the
standard: active and passive.
PASSIVE SCANNING:
1. Scanning is the first step for the
MC(Mobile Clients) to join an Aps
network.
2. In the case of passive scanning
the client just waits to receive a
Beacon Frame from the AP
3. MC (Mobile Clients) searching for
a network by just listens for
beacons until it finds a suitable
network to join.

 ACTIVE SCANNING:
1. The MC (Mobile Clients) tries to
locate an AP by transmitting
Probe Request Frames , and waits
for Probe Response from the AP.
2. The probe request frame can be
a directed or a broadcast probe
request.
3. The probe response frame from
the AP is similar to the beacon
frame.
4. Based on the response from the
AP, the client makes a decision
about connecting to the AP

WIFI SCANNING PROCESS

Within the 802.11 ACTIVE scanning phase,
Using the normal channel access procedure, Carrier Sense
Multiple Access with Collision Avoidance (CSMA/CA), gain control
of wireless medium. Then an MS uses management frames called
Probe Request to actively scan a channel and discover point of
attachments operating on it.
In both OPERATING modes, an MS can probe channels by
broadcasting Probe Requests and waiting for Probe
Responses from APs or other MSs
The IEEE 802.11 standard defines two timers, namely
MinChannelTime (MinCT) and
MaxChannelTime (MaxCT)

to determine the time an MS needs to wait on a channel after

having sent a Probe Request.
MinCT defines the maximum time to wait for a first Probe
Response. If a Probe Response is not received within MinCT, the
MS considers that the channel is empty, and starts the process in
a different channel.

 Otherwise, if a Probe Response is received within MinCT,

then the MS waits up to MaxCT for further Probe Responses
from other nodes on the same channel.
Nevertheless, in the infrastructure mode, an MS should
start a discovery process each time it switches APknown
as LAYER 2 HANDOVER to join a new Basic Service Set
(BSS).

 The scanning process characterize by two salient

metrics:
The full scanning failure
The full scanning latency.

A full scanning failure is defined as the

impossibility to discover any of the MSs or APs
within all the available scanned channels.
The full scanning latency corresponds to the time
spent during the scanning process, i.e., to scan all
available channels one after the other in
whatever order.

Optimization of scanning
latency
One simple way to reduce the full scanning

latency is to use SELECTIVE SCANNING which

allows to only scan a subset of channels, instead
of probing each of them.
Regardless of reducing the scanning latency,
this approach is sensible to the channel subset it
assumes with activity. If this assumption is not
correct, it falls into a full scanning failure since
no AP could be found
Another proposed optimization has focused on
reducing the value of the scanning
timers(MinCTandMaxCT)
1. Fixed Timers
2. Adaptive Timers Scanning

SELECTIVE SCANNING
PROCEDURE

SCANNING STRATEGIES

there are four strategies to set the values for these

timers:
FIXED TIMERS :This strategy consists in fixing predefined

values for both MinCT and MaxCT, which determine the time
an MS will wait on a channel for APs responses. Low values
will provide low full scanning latency, but will increase the
risk of missing AP since the MS does not wait long enough to
get a response.
ADAPTIVE TIMERS SCANNING:

AAS (Aggressive Adaptive Strategy) In this strategy initial

conditions are set to the minimum thresholds values (6ms and
8ms for MinCT and MaxCT respectively)
FAS (Fair Adaptive Strategy) Using FAS, the MS uses half the
maximum thresholds values as initial conditions (17ms and
24ms for MinCT and MaxCT respectively).
NAAS (Non-Aggressive Adaptive Strategy) Within NAAS,
the MS sets the initial conditions to the maximum threshold
values (34ms and 48ms for MinCT and MaxCT respectively).

802.11 Frame and Message Types

802.11 Frame and Message Types:
Three types of MAC frames (MPDUs) traverse a wireless LAN:
control, data, and management. Each of the services described
are carried by one or more of these frame types. A MAC frame
has up to four, but usually three, address fields. Each address
field is the same format as an IEEE 802 MAC address. The
following five address types are used:
BSS Identifier (BSSID) - Identifies the AP of an infrastructure
BSS. For an IBSS (ad hoc network) this is a locally-administered
random number.
Destination Address (DA) - Identifies the final recipient(s) of
the frame.
Source Address (SA) - Identifies the initial source of the frame.
Receiver Address (RA) - Identifies the immediate recipient
AP(s) on the wireless DS.
Transmitter Address (TA) - Identifies the AP that transmitted
the frame onto the wireless DS.

802.11 AUTHENTICATION and

ASSOCIATION
The station first needs to be
authenticated by the AP in order to join
the APs network.
802.11 defines two authentication
subtypes: Open system and shared key
Next Step after authentication is
Association which enables data transfer
between MS and AP.
The MS sends an association request
frame to the AP who replies to the client
with an association response frame either
allowing are disallowing the association.
Once the association is successful, the AP
issues an Association ID to the client and
adds the client to its database of
connected clients.

DATA TRANSFER
MECHANISM
Data transfer allowed only after authentication

and association.
Attempting to send data to an AP without proper
authentication and association causes AP to
respond with a de-authentication frame.
Data frames are always acknowledged. If a client
sends a data frame to an AP, the AP must send an
acknowledgement. If the AP sends a data frame
to a client, the client must send an
acknowledgement
The AP will forward data frames received from the
client to the required destination on the wired
network. It will also forward data directed to the
client from the wired network.

THE HANDOFF
A Handoff occurs when a mobile station moves
beyond the radio range of one AP, and enters
another BSS (at the MAC layer). During the
handoff, management frames are exchanged
between the station (STA) and the AP.
Also the APs involved may exchange certain
context information (credentials) specific to the
station. Consequently, there is latency involved in
the handoff process during which the STA is
unable to send or receive traffic.

THE HANDOFF PROCESS

The handoff function or process refers to the mechanism or
sequence of messages exchanged by access points and a
station resulting in a transfer of physical layer connectivity and
state information from one AP to another with respect to the
station in consideration.
Thus the handoff is a physical layer function carried out by at
least three participating entities, namely the station, a prior-AP
and a posterior-AP. The AP to which the station had physical
layer connectivity prior to the handoff is the prior-AP, while the
AP to which the station gets connectivity after the handoff is the
posterior-AP.
The state information that is transferred typically consists of the
client credentials (which allow it to gain network access) and
some accounting information. This transfer can be achieved by
an Inter Access Point Protocol(IAPP), or via a proprietary
protocol.
Looking at it another way, the handoff-latency would be strictly
greater than association latency as there is an additional interaccess point communication delay involved.

Steps during Handoff:

The handoff process can be divided into two logical
steps: discovery and reauthentication .
Discovery: The discovery process involves the handoff
initiation phase and scanning phase .When the STA is
moving away from the AP it is currently associated with,
the signal strength and the signal-to-noise ratio of the
signal from the AP decrease. This causes the STA to
initiate a handoff.
Now, the STA needs to find other APs that it can connect
to. This is done by the MAC layer scanning function.
Reauthentication: The station attempts to
reauthenticate to an AP according to the priority list. The
reauthentication process typically involves an
authentication and a reassociation to the posterior AP.
The reauthentication phase involves the transfer of
credentials and other state information from the old-AP